Search criteria
75 vulnerabilities found for Drupal core by Drupal
CVE-2025-13083 (GCVE-0-2025-13083)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:31
VLAI?
Summary
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
CWE
- CWE-525 - Use of Web Browser Cache Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Damien McKenna (damienmckenna)
tame4tex
Benji Fisher (benjifisher)
catch (catch)
Neil Drumm (drumm)
Lee Rowlands (larowlan)
Mingsong (mingsong)
Mohit Aghera (mohit_aghera)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:31:33.666610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:31:36.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "finder",
"value": "tame4tex"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mohit Aghera (mohit_aghera)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Use of Web Browser Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:37.269Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13083",
"datePublished": "2025-11-18T16:55:37.269Z",
"dateReserved": "2025-11-12T18:26:39.713Z",
"dateUpdated": "2025-11-18T20:31:36.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13082 (GCVE-0-2025-13082)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:32
VLAI?
Summary
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
4.3 (Medium)
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Kevin Quillen (kevinquillen)
Benji Fisher (benjifisher)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mingsong (mingsong)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:32:40.692859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:32:44.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Quillen (kevinquillen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:16.062Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Defacement - SA-CORE-2025-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13082",
"datePublished": "2025-11-18T16:55:16.062Z",
"dateReserved": "2025-11-12T18:26:38.404Z",
"dateUpdated": "2025-11-18T20:32:44.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13081 (GCVE-0-2025-13081)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:54 – Updated: 2025-11-19 04:55
VLAI?
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.9 (Medium)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
anzuukino
Anna Kalata (akalata)
catch (catch)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:19.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anzuukino"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T18:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:56.214Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13081",
"datePublished": "2025-11-18T16:54:56.214Z",
"dateReserved": "2025-11-12T18:26:37.184Z",
"dateUpdated": "2025-11-19T04:55:19.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13080 (GCVE-0-2025-13080)
Vulnerability from cvelistv5 – Published: 2025-11-18 16:54 – Updated: 2025-11-18 20:35
VLAI?
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Dragos Dumitrescu (dragos-dumi)
yasser ALLAM (inzo_)
Nils Destoop (nils.destoop)
Sven Decabooter (svendecabooter)
zhero
Alex Pott (alexpott)
catch (catch)
cilefen (cilefen)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Nils Destoop (nils.destoop)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:35:13.962818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:35:16.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dragos Dumitrescu (dragos-dumi)"
},
{
"lang": "en",
"type": "finder",
"value": "yasser ALLAM (inzo_)"
},
{
"lang": "en",
"type": "finder",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "finder",
"value": "Sven Decabooter (svendecabooter)"
},
{
"lang": "en",
"type": "finder",
"value": "zhero"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Pott (alexpott)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen Lampton (jenlampton)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-11-12T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:32.042Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13080",
"datePublished": "2025-11-18T16:54:32.042Z",
"dateReserved": "2025-11-12T18:26:35.916Z",
"dateUpdated": "2025-11-18T20:35:16.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31675 (GCVE-0-2025-31675)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:35 – Updated: 2025-04-29 15:45
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.14
(semver)
Affected: 10.4.0 , < 10.4.5 (semver) Affected: 11.0.0 , < 11.0.13 (semver) Affected: 11.1.0 , < 11.1.5 (semver) |
Credits
Samuel Mortenson (samuel.mortenson)
Benji Fisher (benjifisher)
Bram Driesen (bramdriesen)
Alex Bronstein (effulgentsia)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Joseph Zhao (pandaski)
Adam G-H (phenaproxima)
Samuel Mortenson (samuel.mortenson)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T18:21:31.894556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:45:10.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.5",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.13",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.5",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Samuel Mortenson (samuel.mortenson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Bronstein (effulgentsia)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen Lampton (jenlampton)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joseph Zhao (pandaski)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adam G-H (phenaproxima)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Samuel Mortenson (samuel.mortenson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-03-19T18:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:35:20.059Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31675",
"datePublished": "2025-03-31T21:35:20.059Z",
"dateReserved": "2025-03-31T21:30:04.614Z",
"dateUpdated": "2025-04-29T15:45:10.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31674 (GCVE-0-2025-31674)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:34 – Updated: 2025-04-03 17:18
VLAI?
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Severity ?
7.5 (High)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.13
(semver)
Affected: 10.4.0 , < 10.4.3 (semver) Affected: 11.0.0 , < 11.0.12 (semver) Affected: 11.1.0 , < 11.1.3 (semver) |
Credits
anzuukino
shin24
ghost of drupal past
Dave Long (longwave)
Drew Webber (mcdruid)
nicxvan
shin24
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T17:16:59.770323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:18:14.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.13",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.12",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anzuukino"
},
{
"lang": "en",
"type": "finder",
"value": "shin24"
},
{
"lang": "en",
"type": "remediation developer",
"value": "ghost of drupal past"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "nicxvan"
},
{
"lang": "en",
"type": "remediation developer",
"value": "shin24"
}
],
"datePublic": "2025-02-19T17:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:34:53.144Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31674",
"datePublished": "2025-03-31T21:34:53.144Z",
"dateReserved": "2025-03-31T21:30:04.614Z",
"dateUpdated": "2025-04-03T17:18:14.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31673 (GCVE-0-2025-31673)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:34 – Updated: 2025-04-29 15:47
VLAI?
Summary
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Severity ?
4.6 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.13
(semver)
Affected: 10.4.0 , < 10.4.3 (semver) Affected: 11.0.0 , < 11.0.12 (semver) Affected: 11.1.0 , < 11.1.3 (semver) |
Credits
jeff cardwell
Benji Fisher (benjifisher)
jeff cardwell
Mingsong (mingsong)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:47:04.474198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:47:25.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.13",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.12",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jeff cardwell"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "jeff cardwell"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-02-19T16:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:34:16.118Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31673",
"datePublished": "2025-03-31T21:34:16.118Z",
"dateReserved": "2025-03-31T21:30:04.614Z",
"dateUpdated": "2025-04-29T15:47:25.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3057 (GCVE-0-2025-3057)
Vulnerability from cvelistv5 – Published: 2025-03-31 21:33 – Updated: 2025-04-01 13:29
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.13
(semver)
Affected: 10.4.0 , < 10.4.3 (semver) Affected: 11.0.0 , < 11.0.12 (semver) Affected: 11.1.0 , < 11.1.3 (semver) |
Credits
Arne (arkepp)
bdanin
Douglas Groene (dgroene)
Dragos Dumitrescu (dragos-dumi)
Flo Kosiol (flokosiol)
Gerardo Cadau (juanramonperez)
Justin Christoffersen (larsdesigns)
nuwans
Sven Decabooter (svendecabooter)
Will Gunn (wgunn_e)
catch (catch)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-3057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T13:26:50.934330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T13:29:23.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.13",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.12",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arne (arkepp)"
},
{
"lang": "en",
"type": "finder",
"value": "bdanin"
},
{
"lang": "en",
"type": "finder",
"value": "Douglas Groene (dgroene)"
},
{
"lang": "en",
"type": "finder",
"value": "Dragos Dumitrescu (dragos-dumi)"
},
{
"lang": "en",
"type": "finder",
"value": "Flo Kosiol (flokosiol)"
},
{
"lang": "en",
"type": "finder",
"value": "Gerardo Cadau (juanramonperez)"
},
{
"lang": "en",
"type": "finder",
"value": "Justin Christoffersen (larsdesigns)"
},
{
"lang": "en",
"type": "finder",
"value": "nuwans"
},
{
"lang": "en",
"type": "finder",
"value": "Sven Decabooter (svendecabooter)"
},
{
"lang": "en",
"type": "finder",
"value": "Will Gunn (wgunn_e)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-02-19T16:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:33:30.184Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Critical - Cross site scripting - SA-CORE-2025-001",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-3057",
"datePublished": "2025-03-31T21:33:30.184Z",
"dateReserved": "2025-03-31T21:30:27.253Z",
"dateUpdated": "2025-04-01T13:29:23.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55638 (GCVE-0-2024-55638)
Vulnerability from cvelistv5 – Published: 2024-12-09 23:26 – Updated: 2024-12-16 17:11
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
7.0 , < 7.102
(semver)
Affected: 8.0.0 , < 10.2.11 (semver) Affected: 10.3.0 , < 10.3.9 (semver) |
Credits
Drew Webber
Drew Webber
Fabian Franz
Juraj Nemec
Lee Rowlands
Dave Long
Alex Pott
Juraj Nemec
Benji Fisher
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:19:33.752403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:20:00.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.102",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabian Franz"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Pott"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.\u003cp\u003eThis issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.\u003c/p\u003e\u003cp\u003eDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.\n\nDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:11:20.896Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55638",
"datePublished": "2024-12-09T23:26:30.780Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-16T17:11:20.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55637 (GCVE-0-2024-55637)
Vulnerability from cvelistv5 – Published: 2024-12-09 23:25 – Updated: 2024-12-16 17:10
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.0.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Drew Webber
Drew Webber
Lee Rowlands
Juraj Nemec
Benji Fisher
xjm
Greg Knaddison
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:20:25.792520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:20:49.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.\u003cp\u003eThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e\u003cp\u003eDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\n\nDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:10:40.749Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55637",
"datePublished": "2024-12-09T23:25:32.356Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-16T17:10:40.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55636 (GCVE-0-2024-55636)
Vulnerability from cvelistv5 – Published: 2024-12-09 23:24 – Updated: 2024-12-16 17:09
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.0.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Drew Webber
Drew Webber
Lee Rowlands
Juraj Nemec
Benji Fisher
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:21:16.176243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:21:39.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.\u003cp\u003eThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\n\nDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:09:36.830Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Less critical - Gadget chain - SA-CORE-2024-006",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55636",
"datePublished": "2024-12-09T23:24:27.729Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-16T17:09:36.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55635 (GCVE-0-2024-55635)
Vulnerability from cvelistv5 – Published: 2024-12-09 23:23 – Updated: 2024-12-10 21:18
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
7.0 , < 7.102
(semver)
|
Credits
Cesar
Greg Knaddison
Matthew Grill
Wim Leers
Drew Webber
Ra Mänd
Fabian Franz
Juraj Nemec
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:17:31.860803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:18:04.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.102",
"status": "affected",
"version": "7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Cesar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Matthew Grill"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wim Leers"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00e4nd"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabian Franz"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal Core: from 7.0 before 7.102.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T23:23:38.742Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55635",
"datePublished": "2024-12-09T23:23:38.742Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-10T21:18:04.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55634 (GCVE-0-2024-55634)
Vulnerability from cvelistv5 – Published: 2024-12-09 23:21 – Updated: 2024-12-11 16:39
VLAI?
Summary
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.0.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Wayne Eaker
Wayne Eaker
cilefen
Kristiaan Van den Eynde
Drew Webber
Lee Rowlands
Benji Fisher
Juraj Nemec
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T16:38:29.920886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T16:39:12.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wayne Eaker"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wayne Eaker"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kristiaan Van den Eynde"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Drupal Core allows Privilege Escalation.\u003cp\u003eThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e"
}
],
"value": "A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178 Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "CWE-289",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T23:21:15.943Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55634",
"datePublished": "2024-12-09T23:21:15.943Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-11T16:39:12.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12393 (GCVE-0-2024-12393)
Vulnerability from cvelistv5 – Published: 2024-12-09 23:20 – Updated: 2024-12-11 16:37
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.8.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Jay Beaton
Lee Rowlands
catch
Mingsong
Juraj Nemec
Dave Long
Benji Fisher
Juraj Nemec
Greg Knaddison
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T16:36:16.500387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T16:37:08.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.8.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jay Beaton"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T23:20:31.719Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-12393",
"datePublished": "2024-12-09T23:20:31.719Z",
"dateReserved": "2024-12-09T23:07:48.514Z",
"dateUpdated": "2024-12-11T16:37:08.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11942 (GCVE-0-2024-11942)
Vulnerability from cvelistv5 – Published: 2024-12-05 14:42 – Updated: 2024-12-05 15:41
VLAI?
Summary
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
Severity ?
5.9 (Medium)
CWE
- CWE-390 - Detection of Error Condition Without Action
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
10.0.0 , < 10.2.10
(semver)
|
Credits
Pierre Rudloff
catch
Lee Rowlands
Benji Fisher
Kim Pepper
Wim Leers
xjm
Dave Long
Juraj Nemec
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:drupal:drupal_core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drupal_core",
"vendor": "drupal",
"versions": [
{
"lessThan": "10.2.10",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-11942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T15:32:51.782373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:41:56.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.10",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kim Pepper"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wim Leers"
},
{
"lang": "en",
"type": "remediation developer",
"value": "xjm"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
}
],
"datePublic": "2024-10-17T00:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Drupal Core allows File Manipulation.\u003cp\u003eThis issue affects Drupal Core: from 10.0.0 before 10.2.10.\u003c/p\u003e"
}
],
"value": "A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10."
}
],
"impacts": [
{
"capecId": "CAPEC-165",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-165 File Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-390",
"description": "CWE-390 Detection of Error Condition Without Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T14:42:07.812Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-11942",
"datePublished": "2024-12-05T14:42:07.812Z",
"dateReserved": "2024-11-27T23:16:49.385Z",
"dateUpdated": "2024-12-05T15:41:56.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13083 (GCVE-0-2025-13083)
Vulnerability from nvd – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:31
VLAI?
Summary
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
CWE
- CWE-525 - Use of Web Browser Cache Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Damien McKenna (damienmckenna)
tame4tex
Benji Fisher (benjifisher)
catch (catch)
Neil Drumm (drumm)
Lee Rowlands (larowlan)
Mingsong (mingsong)
Mohit Aghera (mohit_aghera)
James Gilliland (neclimdul)
Juraj Nemec (poker10)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:31:33.666610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:31:36.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damien McKenna (damienmckenna)"
},
{
"lang": "en",
"type": "finder",
"value": "tame4tex"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mohit Aghera (mohit_aghera)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Gilliland (neclimdul)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-525",
"description": "CWE-525 Use of Web Browser Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:37.269Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13083",
"datePublished": "2025-11-18T16:55:37.269Z",
"dateReserved": "2025-11-12T18:26:39.713Z",
"dateUpdated": "2025-11-18T20:31:36.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13082 (GCVE-0-2025-13082)
Vulnerability from nvd – Published: 2025-11-18 16:55 – Updated: 2025-11-18 20:32
VLAI?
Summary
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
4.3 (Medium)
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Kevin Quillen (kevinquillen)
Benji Fisher (benjifisher)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Drew Webber (mcdruid)
Mingsong (mingsong)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:32:40.692859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:32:44.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Quillen (kevinquillen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T20:16:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:55:16.062Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Defacement - SA-CORE-2025-007",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13082",
"datePublished": "2025-11-18T16:55:16.062Z",
"dateReserved": "2025-11-12T18:26:38.404Z",
"dateUpdated": "2025-11-18T20:32:44.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13081 (GCVE-0-2025-13081)
Vulnerability from nvd – Published: 2025-11-18 16:54 – Updated: 2025-11-19 04:55
VLAI?
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.9 (Medium)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
anzuukino
Anna Kalata (akalata)
catch (catch)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:19.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anzuukino"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Anna Kalata (akalata)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-11-12T18:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:56.214Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13081",
"datePublished": "2025-11-18T16:54:56.214Z",
"dateReserved": "2025-11-12T18:26:37.184Z",
"dateUpdated": "2025-11-19T04:55:19.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13080 (GCVE-0-2025-13080)
Vulnerability from nvd – Published: 2025-11-18 16:54 – Updated: 2025-11-18 20:35
VLAI?
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.
Severity ?
5.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.4.9
(semver)
Affected: 10.5.0 , < 10.5.6 (semver) Affected: 11.0.0 , < 11.1.9 (semver) Affected: 11.2.0 , < 11.2.8 (semver) |
Credits
Dragos Dumitrescu (dragos-dumi)
yasser ALLAM (inzo_)
Nils Destoop (nils.destoop)
Sven Decabooter (svendecabooter)
zhero
Alex Pott (alexpott)
catch (catch)
cilefen (cilefen)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Nils Destoop (nils.destoop)
Juraj Nemec (poker10)
Ra Mänd (ram4nd)
Jess (xjm)
catch (catch)
Greg Knaddison (greggles)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Juraj Nemec (poker10)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:35:13.962818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:35:16.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.4.9",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.5.6",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
},
{
"lessThan": "11.1.9",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.2.8",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dragos Dumitrescu (dragos-dumi)"
},
{
"lang": "en",
"type": "finder",
"value": "yasser ALLAM (inzo_)"
},
{
"lang": "en",
"type": "finder",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "finder",
"value": "Sven Decabooter (svendecabooter)"
},
{
"lang": "en",
"type": "finder",
"value": "zhero"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Pott (alexpott)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen (cilefen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen Lampton (jenlampton)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Nils Destoop (nils.destoop)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00c3\u00a4nd (ram4nd)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-11-12T18:33:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:54:32.042Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-13080",
"datePublished": "2025-11-18T16:54:32.042Z",
"dateReserved": "2025-11-12T18:26:35.916Z",
"dateUpdated": "2025-11-18T20:35:16.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31675 (GCVE-0-2025-31675)
Vulnerability from nvd – Published: 2025-03-31 21:35 – Updated: 2025-04-29 15:45
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.14
(semver)
Affected: 10.4.0 , < 10.4.5 (semver) Affected: 11.0.0 , < 11.0.13 (semver) Affected: 11.1.0 , < 11.1.5 (semver) |
Credits
Samuel Mortenson (samuel.mortenson)
Benji Fisher (benjifisher)
Bram Driesen (bramdriesen)
Alex Bronstein (effulgentsia)
Jen Lampton (jenlampton)
Lee Rowlands (larowlan)
Dave Long (longwave)
Drew Webber (mcdruid)
Joseph Zhao (pandaski)
Adam G-H (phenaproxima)
Samuel Mortenson (samuel.mortenson)
Jess (xjm)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T18:21:31.894556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:45:10.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.14",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.5",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.13",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.5",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Samuel Mortenson (samuel.mortenson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Bronstein (effulgentsia)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jen Lampton (jenlampton)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands (larowlan)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Joseph Zhao (pandaski)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Adam G-H (phenaproxima)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Samuel Mortenson (samuel.mortenson)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jess (xjm)"
}
],
"datePublic": "2025-03-19T18:54:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:35:20.059Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31675",
"datePublished": "2025-03-31T21:35:20.059Z",
"dateReserved": "2025-03-31T21:30:04.614Z",
"dateUpdated": "2025-04-29T15:45:10.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31674 (GCVE-0-2025-31674)
Vulnerability from nvd – Published: 2025-03-31 21:34 – Updated: 2025-04-03 17:18
VLAI?
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Severity ?
7.5 (High)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.13
(semver)
Affected: 10.4.0 , < 10.4.3 (semver) Affected: 11.0.0 , < 11.0.12 (semver) Affected: 11.1.0 , < 11.1.3 (semver) |
Credits
anzuukino
shin24
ghost of drupal past
Dave Long (longwave)
Drew Webber (mcdruid)
nicxvan
shin24
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T17:16:59.770323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:18:14.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.13",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.12",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anzuukino"
},
{
"lang": "en",
"type": "finder",
"value": "shin24"
},
{
"lang": "en",
"type": "remediation developer",
"value": "ghost of drupal past"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long (longwave)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "nicxvan"
},
{
"lang": "en",
"type": "remediation developer",
"value": "shin24"
}
],
"datePublic": "2025-02-19T17:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:34:53.144Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31674",
"datePublished": "2025-03-31T21:34:53.144Z",
"dateReserved": "2025-03-31T21:30:04.614Z",
"dateUpdated": "2025-04-03T17:18:14.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31673 (GCVE-0-2025-31673)
Vulnerability from nvd – Published: 2025-03-31 21:34 – Updated: 2025-04-29 15:47
VLAI?
Summary
Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Severity ?
4.6 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.13
(semver)
Affected: 10.4.0 , < 10.4.3 (semver) Affected: 11.0.0 , < 11.0.12 (semver) Affected: 11.1.0 , < 11.1.3 (semver) |
Credits
jeff cardwell
Benji Fisher (benjifisher)
jeff cardwell
Mingsong (mingsong)
Juraj Nemec (poker10)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-31673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:47:04.474198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:47:25.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.13",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.12",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jeff cardwell"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "jeff cardwell"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong (mingsong)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2025-02-19T16:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:34:16.118Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-31673",
"datePublished": "2025-03-31T21:34:16.118Z",
"dateReserved": "2025-03-31T21:30:04.614Z",
"dateUpdated": "2025-04-29T15:47:25.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3057 (GCVE-0-2025-3057)
Vulnerability from nvd – Published: 2025-03-31 21:33 – Updated: 2025-04-01 13:29
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal core |
Affected:
8.0.0 , < 10.3.13
(semver)
Affected: 10.4.0 , < 10.4.3 (semver) Affected: 11.0.0 , < 11.0.12 (semver) Affected: 11.1.0 , < 11.1.3 (semver) |
Credits
Arne (arkepp)
bdanin
Douglas Groene (dgroene)
Dragos Dumitrescu (dragos-dumi)
Flo Kosiol (flokosiol)
Gerardo Cadau (juanramonperez)
Justin Christoffersen (larsdesigns)
nuwans
Sven Decabooter (svendecabooter)
Will Gunn (wgunn_e)
catch (catch)
Drew Webber (mcdruid)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-3057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T13:26:50.934330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T13:29:23.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.3.13",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "11.0.12",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
},
{
"lessThan": "11.1.3",
"status": "affected",
"version": "11.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arne (arkepp)"
},
{
"lang": "en",
"type": "finder",
"value": "bdanin"
},
{
"lang": "en",
"type": "finder",
"value": "Douglas Groene (dgroene)"
},
{
"lang": "en",
"type": "finder",
"value": "Dragos Dumitrescu (dragos-dumi)"
},
{
"lang": "en",
"type": "finder",
"value": "Flo Kosiol (flokosiol)"
},
{
"lang": "en",
"type": "finder",
"value": "Gerardo Cadau (juanramonperez)"
},
{
"lang": "en",
"type": "finder",
"value": "Justin Christoffersen (larsdesigns)"
},
{
"lang": "en",
"type": "finder",
"value": "nuwans"
},
{
"lang": "en",
"type": "finder",
"value": "Sven Decabooter (svendecabooter)"
},
{
"lang": "en",
"type": "finder",
"value": "Will Gunn (wgunn_e)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch (catch)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber (mcdruid)"
}
],
"datePublic": "2025-02-19T16:49:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T21:33:30.184Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2025-001"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Critical - Cross site scripting - SA-CORE-2025-001",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2025-3057",
"datePublished": "2025-03-31T21:33:30.184Z",
"dateReserved": "2025-03-31T21:30:27.253Z",
"dateUpdated": "2025-04-01T13:29:23.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55638 (GCVE-0-2024-55638)
Vulnerability from nvd – Published: 2024-12-09 23:26 – Updated: 2024-12-16 17:11
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
7.0 , < 7.102
(semver)
Affected: 8.0.0 , < 10.2.11 (semver) Affected: 10.3.0 , < 10.3.9 (semver) |
Credits
Drew Webber
Drew Webber
Fabian Franz
Juraj Nemec
Lee Rowlands
Dave Long
Alex Pott
Juraj Nemec
Benji Fisher
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:19:33.752403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:20:00.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.102",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabian Franz"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alex Pott"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.\u003cp\u003eThis issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.\u003c/p\u003e\u003cp\u003eDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.\n\nDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:11:20.896Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-008"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55638",
"datePublished": "2024-12-09T23:26:30.780Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-16T17:11:20.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55637 (GCVE-0-2024-55637)
Vulnerability from nvd – Published: 2024-12-09 23:25 – Updated: 2024-12-16 17:10
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.0.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Drew Webber
Drew Webber
Lee Rowlands
Juraj Nemec
Benji Fisher
xjm
Greg Knaddison
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:20:25.792520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:20:49.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.\u003cp\u003eThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e\u003cp\u003eDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\n\nDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called gadget chain presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:10:40.749Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-007"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55637",
"datePublished": "2024-12-09T23:25:32.356Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-16T17:10:40.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55636 (GCVE-0-2024-55636)
Vulnerability from nvd – Published: 2024-12-09 23:24 – Updated: 2024-12-16 17:09
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.0.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Drew Webber
Drew Webber
Lee Rowlands
Juraj Nemec
Benji Fisher
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:21:16.176243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:21:39.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.\u003cp\u003eThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\n\nDrupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so called gadget chain presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:09:36.830Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Less critical - Gadget chain - SA-CORE-2024-006",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55636",
"datePublished": "2024-12-09T23:24:27.729Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-16T17:09:36.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55635 (GCVE-0-2024-55635)
Vulnerability from nvd – Published: 2024-12-09 23:23 – Updated: 2024-12-10 21:18
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
7.0 , < 7.102
(semver)
|
Credits
Cesar
Greg Knaddison
Matthew Grill
Wim Leers
Drew Webber
Ra Mänd
Fabian Franz
Juraj Nemec
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T21:17:31.860803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T21:18:04.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "7.102",
"status": "affected",
"version": "7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Cesar"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Greg Knaddison"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Matthew Grill"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wim Leers"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ra M\u00e4nd"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Fabian Franz"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal Core: from 7.0 before 7.102.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T23:23:38.742Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-005"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55635",
"datePublished": "2024-12-09T23:23:38.742Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-10T21:18:04.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55634 (GCVE-0-2024-55634)
Vulnerability from nvd – Published: 2024-12-09 23:21 – Updated: 2024-12-11 16:39
VLAI?
Summary
A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.0.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Wayne Eaker
Wayne Eaker
cilefen
Kristiaan Van den Eynde
Drew Webber
Lee Rowlands
Benji Fisher
Juraj Nemec
xjm
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-55634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T16:38:29.920886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T16:39:12.440Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wayne Eaker"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wayne Eaker"
},
{
"lang": "en",
"type": "remediation developer",
"value": "cilefen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kristiaan Van den Eynde"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Drew Webber"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "xjm"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Drupal Core allows Privilege Escalation.\u003cp\u003eThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e"
}
],
"value": "A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178 Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "CWE-289",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T23:21:15.943Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-004"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-55634",
"datePublished": "2024-12-09T23:21:15.943Z",
"dateReserved": "2024-12-09T23:07:41.397Z",
"dateUpdated": "2024-12-11T16:39:12.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12393 (GCVE-0-2024-12393)
Vulnerability from nvd – Published: 2024-12-09 23:20 – Updated: 2024-12-11 16:37
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
8.8.0 , < 10.2.11
(semver)
Affected: 10.3.0 , < 10.3.9 (semver) Affected: 11.0.0 , < 11.0.8 (semver) |
Credits
Jay Beaton
Lee Rowlands
catch
Mingsong
Juraj Nemec
Dave Long
Benji Fisher
Juraj Nemec
Greg Knaddison
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-12393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T16:36:16.500387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T16:37:08.457Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal/",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"repo": "https://git.drupalcode.org/project/drupal",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.11",
"status": "affected",
"version": "8.8.0",
"versionType": "semver"
},
{
"lessThan": "10.3.9",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "11.0.8",
"status": "affected",
"version": "11.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jay Beaton"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mingsong"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Dave Long"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison"
}
],
"datePublic": "2024-11-21T03:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T23:20:31.719Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-003"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-12393",
"datePublished": "2024-12-09T23:20:31.719Z",
"dateReserved": "2024-12-09T23:07:48.514Z",
"dateUpdated": "2024-12-11T16:37:08.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11942 (GCVE-0-2024-11942)
Vulnerability from nvd – Published: 2024-12-05 14:42 – Updated: 2024-12-05 15:41
VLAI?
Summary
A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10.
Severity ?
5.9 (Medium)
CWE
- CWE-390 - Detection of Error Condition Without Action
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Drupal | Drupal Core |
Affected:
10.0.0 , < 10.2.10
(semver)
|
Credits
Pierre Rudloff
catch
Lee Rowlands
Benji Fisher
Kim Pepper
Wim Leers
xjm
Dave Long
Juraj Nemec
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:drupal:drupal_core:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "drupal_core",
"vendor": "drupal",
"versions": [
{
"lessThan": "10.2.10",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-11942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T15:32:51.782373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:41:56.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/drupal",
"defaultStatus": "unaffected",
"product": "Drupal Core",
"vendor": "Drupal",
"versions": [
{
"lessThan": "10.2.10",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pierre Rudloff"
},
{
"lang": "en",
"type": "remediation developer",
"value": "catch"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lee Rowlands"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kim Pepper"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Wim Leers"
},
{
"lang": "en",
"type": "remediation developer",
"value": "xjm"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec"
}
],
"datePublic": "2024-10-17T00:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in Drupal Core allows File Manipulation.\u003cp\u003eThis issue affects Drupal Core: from 10.0.0 before 10.2.10.\u003c/p\u003e"
}
],
"value": "A vulnerability in Drupal Core allows File Manipulation.This issue affects Drupal Core: from 10.0.0 before 10.2.10."
}
],
"impacts": [
{
"capecId": "CAPEC-165",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-165 File Manipulation"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-390",
"description": "CWE-390 Detection of Error Condition Without Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T14:42:07.812Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-core-2024-002"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2024-11942",
"datePublished": "2024-12-05T14:42:07.812Z",
"dateReserved": "2024-11-27T23:16:49.385Z",
"dateUpdated": "2024-12-05T15:41:56.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}